76284: Issue 927: 401 Community or Collection Administrator editing Collection Authorization Group REST Implementation

- implement Community and Collection admin search
- implement the CollectionAdminFeature and CommunityAdminFeature Authorization feature

dspace-api/src/main/java/org/dspace/authorize/AuthorizeSolrServiceImpl.java

@@ -0,0 +1,232 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.authorize;
+
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
+import org.dspace.content.Collection;
+import org.dspace.content.Community;
+import org.dspace.core.Context;
+import org.dspace.discovery.DiscoverQuery;
+import org.dspace.discovery.DiscoverResult;
+import org.dspace.discovery.IndexableObject;
+import org.dspace.discovery.SearchService;
+import org.dspace.discovery.SearchServiceException;
+import org.dspace.discovery.indexobject.IndexableCollection;
+import org.dspace.discovery.indexobject.IndexableCommunity;
+import org.dspace.eperson.Group;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * AuthorizeSolrService uses Solr to check if a given context's user has ADMIN rights to any DSO of a given type.
+ */
+public class AuthorizeSolrServiceImpl implements AuthorizeSolrService {
+
+    private static Logger log = LogManager.getLogger(AuthorizeSolrServiceImpl.class);
+
+    @Autowired
+    private SearchService searchService;
+    @Autowired
+    private AuthorizeService authorizeService;
+
+    protected AuthorizeSolrServiceImpl() {
+
+    }
+
+    /**
+     * Checks that the context's current user is a community admin in the site.
+     *
+     * @param context   context with the current user
+     * @return          true if the current user is a community admin in the site
+     *                  false when this is not the case, or an exception occurred
+     */
+    @Override
+    public boolean isCommunityAdmin(Context context) throws SQLException {
+        return performCheck(context, "search.resourcetype:Community");
+    }
+
+    /**
+     * Checks that the context's current user is a collection admin in the site.
+     *
+     * @param context   context with the current user
+     * @return          true if the current user is a collection admin in the site
+     *                  false when this is not the case, or an exception occurred
+     */
+    @Override
+    public boolean isCollectionAdmin(Context context) throws SQLException {
+        return performCheck(context, "search.resourcetype:Collection");
+    }
+
+    /**
+     * Checks that the context's current user is a community or collection admin in the site.
+     *
+     * @param context   context with the current user
+     * @return          true if the current user is a community or collection admin in the site
+     *                  false when this is not the case, or an exception occurred
+     */
+    @Override
+    public boolean isComColAdmin(Context context) throws SQLException {
+        return performCheck(context,
+            "(search.resourcetype:Community OR search.resourcetype:Collection)");
+    }
+
+    /**
+     *  Finds communities for which the logged in user has ADMIN rights.
+     *
+     * @param context   the context whose user is checked against
+     * @param query     the optional extra query
+     * @param offset    the offset for pagination
+     * @param limit     the amount of dso's to return
+     * @return          a list of communities for which the logged in user has ADMIN rights.
+     * @throws SearchServiceException
+     */
+    @Override
+    public List<Community> findAdminAuthorizedCommunity(Context context, String query, int offset, int limit)
+        throws SearchServiceException, SQLException {
+        List<Community> communities = new ArrayList<>();
+        query = formatCustomQuery(query);
+        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:Community",
+            offset, limit);
+        for (IndexableObject solrCollections : discoverResult.getIndexableObjects()) {
+            Community community = ((IndexableCommunity) solrCollections).getIndexedObject();
+            communities.add(community);
+        }
+        return communities;
+    }
+
+    /**
+     *  Finds the amount of communities for which the logged in user has ADMIN rights.
+     *
+     * @param context   the context whose user is checked against
+     * @param query     the optional extra query
+     * @return          the number of communities for which the logged in user has ADMIN rights.
+     * @throws SearchServiceException
+     */
+    @Override
+    public int countAdminAuthorizedCommunity(Context context, String query)
+        throws SearchServiceException, SQLException {
+        query = formatCustomQuery(query);
+        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:Community",
+            null, null);
+        return (int)discoverResult.getTotalSearchResults();
+    }
+
+    /**
+     *  Finds collections for which the logged in user has ADMIN rights.
+     *
+     * @param context   the context whose user is checked against
+     * @param query     the optional extra query
+     * @param offset    the offset for pagination
+     * @param limit     the amount of dso's to return
+     * @return          a list of collections for which the logged in user has ADMIN rights.
+     * @throws SearchServiceException
+     */
+    @Override
+    public List<Collection> findAdminAuthorizedCollection(Context context, String query, int offset, int limit)
+        throws SearchServiceException, SQLException {
+        List<Collection> collections = new ArrayList<>();
+        if (context.getCurrentUser() == null) {
+            return collections;
+        }
+
+        query = formatCustomQuery(query);
+        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:Collection",
+            offset, limit);
+        for (IndexableObject solrCollections : discoverResult.getIndexableObjects()) {
+            Collection collection = ((IndexableCollection) solrCollections).getIndexedObject();
+            collections.add(collection);
+        }
+        return collections;
+    }
+
+    /**
+     *  Finds the amount of collections for which the logged in user has ADMIN rights.
+     *
+     * @param context   the context whose user is checked against
+     * @param query     the optional extra query
+     * @return          the number of collections for which the logged in user has ADMIN rights.
+     * @throws SearchServiceException
+     */
+    @Override
+    public int countAdminAuthorizedCollection(Context context, String query)
+        throws SearchServiceException, SQLException {
+        query = formatCustomQuery(query);
+        DiscoverResult discoverResult = getDiscoverResult(context, query + "search.resourcetype:Collection",
+            null, null);
+        return (int)discoverResult.getTotalSearchResults();
+    }
+
+    private boolean performCheck(Context context, String query) throws SQLException {
+        if (context.getCurrentUser() == null) {
+            return false;
+        }
+
+        try {
+            DiscoverResult discoverResult = getDiscoverResult(context, query, null, null);
+            if (discoverResult.getTotalSearchResults() > 0) {
+                return true;
+            }
+        } catch (SearchServiceException e) {
+            log.error("Failed getting getting community/collection admin status for "
+                + context.getCurrentUser().getEmail() + " The search error is: " + e.getMessage()
+                + " The search resourceType filter was: " + query);
+        }
+        return false;
+    }
+
+    private DiscoverResult getDiscoverResult(Context context, String query, Integer offset, Integer limit)
+        throws SearchServiceException, SQLException {
+        StringBuilder groupQuery = new StringBuilder();
+        List<Group> groups = context.getCurrentUser().getGroups();
+        addGroupToQuery(groupQuery, groups);
+
+        DiscoverQuery discoverQuery = new DiscoverQuery();
+        if (!authorizeService.isAdmin(context)) {
+            query = query + " AND (" +
+                "admin:e" + context.getCurrentUser().getID() + groupQuery.toString() + ")";
+        }
+        discoverQuery.setQuery(query);
+        if (offset != null) {
+            discoverQuery.setStart(offset);
+        }
+        if (limit != null) {
+            discoverQuery.setMaxResults(limit);
+        }
+
+
+        return searchService.search(context, discoverQuery);
+    }
+
+    private void addGroupToQuery(StringBuilder groupQuery, List<Group> groups) {
+        if (groups == null) {
+            return;
+        }
+
+        for (Group group: groups) {
+            groupQuery.append(" OR admin:g");
+            groupQuery.append(group.getID());
+
+            addGroupToQuery(groupQuery, group.getParentGroups());
+        }
+    }
+
+    private String formatCustomQuery(String query) {
+        if (StringUtils.isBlank(query)) {
+            return "";
+        } else {
+            return query + " AND ";
+        }
+    }
+}

dspace-api/src/main/java/org/dspace/authorize/factory/AuthorizeServiceFactory.java

@@ -8,6 +8,7 @@
 package org.dspace.authorize.factory;
 
 import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
 import org.dspace.authorize.service.ResourcePolicyService;
 import org.dspace.services.factory.DSpaceServicesFactory;
 
@@ -23,6 +24,8 @@ public abstract class AuthorizeServiceFactory {
 
     public abstract ResourcePolicyService getResourcePolicyService();
 
+    public abstract AuthorizeSolrService getAuthorizeSolrService();
+
     public static AuthorizeServiceFactory getInstance() {
         return DSpaceServicesFactory.getInstance().getServiceManager()
                                     .getServiceByName("authorizeServiceFactory", AuthorizeServiceFactory.class);

dspace-api/src/main/java/org/dspace/authorize/factory/AuthorizeServiceFactoryImpl.java

@@ -8,6 +8,7 @@
 package org.dspace.authorize.factory;
 
 import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
 import org.dspace.authorize.service.ResourcePolicyService;
 import org.springframework.beans.factory.annotation.Autowired;
 
@@ -23,6 +24,8 @@ public class AuthorizeServiceFactoryImpl extends AuthorizeServiceFactory {
     private AuthorizeService authorizeService;
     @Autowired(required = true)
     private ResourcePolicyService resourcePolicyService;
+    @Autowired(required = true)
+    private AuthorizeSolrService authorizeSolrService;
 
     @Override
     public AuthorizeService getAuthorizeService() {
@@ -33,4 +36,9 @@ public class AuthorizeServiceFactoryImpl extends AuthorizeServiceFactory {
     public ResourcePolicyService getResourcePolicyService() {
         return resourcePolicyService;
     }
+
+    @Override
+    public AuthorizeSolrService getAuthorizeSolrService() {
+        return authorizeSolrService;
+    }
 }

dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeSolrService.java

@@ -0,0 +1,101 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.authorize.service;
+
+import java.sql.SQLException;
+import java.util.List;
+
+import org.dspace.content.Collection;
+import org.dspace.content.Community;
+import org.dspace.core.Context;
+import org.dspace.discovery.SearchServiceException;
+
+/**
+ * AuthorizeSolrService uses Solr to check if a given context's user has ADMIN rights to any DSO of a given type.
+ */
+public interface AuthorizeSolrService {
+
+    /**
+     * Checks that the context's current user is a community admin in the site.
+     *
+     * @param context   context with the current user
+     * @return          true if the current user is a community admin in the site
+     *                  false when this is not the case, or an exception occurred
+     */
+    boolean isCommunityAdmin(Context context) throws SQLException;
+
+    /**
+     * Checks that the context's current user is a collection admin in the site.
+     *
+     * @param context   context with the current user
+     * @return          true if the current user is a collection admin in the site
+     *                  false when this is not the case, or an exception occurred
+     */
+    boolean isCollectionAdmin(Context context) throws SQLException;
+
+    /**
+     * Checks that the context's current user is a community or collection admin in the site.
+     *
+     * @param context   context with the current user
+     * @return          true if the current user is a community or collection admin in the site
+     *                  false when this is not the case, or an exception occurred
+     */
+    boolean isComColAdmin(Context context) throws SQLException;
+
+    /**
+     * Finds communities for which the current user is admin, AND which match the query.
+     *
+     * @param context   context with the current user
+     * @param query     the query for which to filter the results more
+     * @param offset    used for pagination of the results
+     * @param limit     used for pagination of the results
+     * @return          the number of matching communities
+     * @throws SearchServiceException
+     * @throws SQLException
+     */
+    List<Community> findAdminAuthorizedCommunity(Context context, String query, int offset, int limit)
+        throws SearchServiceException, SQLException;
+
+    /**
+     * Counts communities for which the current user is admin, AND which match the query.
+     *
+     * @param context   context with the current user
+     * @param query     the query for which to filter the results more
+     * @return          the matching communities
+     * @throws SearchServiceException
+     * @throws SQLException
+     */
+    int countAdminAuthorizedCommunity(Context context, String query)
+        throws SearchServiceException, SQLException;
+
+    /**
+     * Finds collections for which the current user is admin, AND which match the query.
+     *
+     * @param context   context with the current user
+     * @param query     the query for which to filter the results more
+     * @param offset    used for pagination of the results
+     * @param limit     used for pagination of the results
+     * @return          the matching collections
+     * @throws SearchServiceException
+     * @throws SQLException
+     */
+    List<Collection> findAdminAuthorizedCollection(Context context, String query, int offset, int limit)
+        throws SearchServiceException, SQLException;
+
+    /**
+     * Counts collections for which the current user is admin, AND which match the query.
+     *
+     * @param context   context with the current user
+     * @param query     the query for which to filter the results more
+     * @return          the number of matching collections
+     * @throws SearchServiceException
+     * @throws SQLException
+     */
+    int countAdminAuthorizedCollection(Context context, String query)
+        throws SearchServiceException, SQLException;
+}

dspace-api/src/main/java/org/dspace/discovery/SolrServiceResourceRestrictionPlugin.java

@@ -115,6 +115,7 @@ public class SolrServiceResourceRestrictionPlugin implements SolrServiceIndexPlu
                                 fieldValue = "e" + resourcePolicy.getEPerson().getID();
                             }
                             document.addField("read", fieldValue);
+                            document.addField("admin", fieldValue);
 
                             // remove the policy from the cache to save memory
                             context.uncacheEntity(resourcePolicy);

dspace-api/src/main/java/org/dspace/eperson/Group.java

@@ -142,7 +142,7 @@ public class Group extends DSpaceObject implements DSpaceObjectLegacySupport {
         return getMembers().contains(e);
     }
 
-    List<Group> getParentGroups() {
+    public List<Group> getParentGroups() {
         return parentGroups;
     }
 

dspace-server-webapp/src/main/java/org/dspace/app/rest/authorization/impl/CollectionAdminFeature.java

@@ -0,0 +1,58 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization.impl;
+
+import java.sql.SQLException;
+
+import org.dspace.app.rest.authorization.AuthorizationFeature;
+import org.dspace.app.rest.authorization.AuthorizationFeatureDocumentation;
+import org.dspace.app.rest.model.BaseObjectRest;
+import org.dspace.app.rest.model.SiteRest;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
+import org.dspace.core.Context;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+/**
+ * The Collection Admin feature. It can be used to verify if the current user is admin of any collection in the site.
+ *
+ * Authorization is granted if the current user has ADMIN permissions for any Collection anywhere in the site, or if the
+ * current user is a site admin.
+ */
+@Component
+@AuthorizationFeatureDocumentation(name = CollectionAdminFeature.NAME,
+    description = "It can be used to verify if the current user is admin of any collection in the site")
+public class CollectionAdminFeature implements AuthorizationFeature {
+
+    public final static String NAME = "isCollectionAdmin";
+
+    @Autowired
+    private AuthorizeService authorizeService;
+    @Autowired
+    private AuthorizeSolrService authorizeSolrService;
+
+    @Override
+    public boolean isAuthorized(Context context, BaseObjectRest object) throws SQLException {
+        if (object instanceof SiteRest) {
+            if (authorizeService.isAdmin(context)) {
+                return true;
+            }
+
+            return authorizeSolrService.isCollectionAdmin(context);
+        }
+        return false;
+    }
+
+    @Override
+    public String[] getSupportedTypes() {
+        return new String[]{
+            SiteRest.CATEGORY + "." + SiteRest.NAME
+        };
+    }
+}

dspace-server-webapp/src/main/java/org/dspace/app/rest/authorization/impl/ComColAdminFeature.java

@@ -0,0 +1,59 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization.impl;
+
+import java.sql.SQLException;
+
+import org.dspace.app.rest.authorization.AuthorizationFeature;
+import org.dspace.app.rest.authorization.AuthorizationFeatureDocumentation;
+import org.dspace.app.rest.model.BaseObjectRest;
+import org.dspace.app.rest.model.SiteRest;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
+import org.dspace.core.Context;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+/**
+ * The ComCol Admin feature. It can be used to verify if the current user is admin of any community or collection in the
+ * site.
+ *
+ * Authorization is granted if the current user has ADMIN permissions for any Community or Collection anywhere in the
+ * site, or if the current user is a site admin.
+ */
+@Component
+@AuthorizationFeatureDocumentation(name = ComColAdminFeature.NAME,
+    description = "It can be used to verify if the current user is admin of any community or collection in the site")
+public class ComColAdminFeature implements AuthorizationFeature {
+
+    public final static String NAME = "isComColAdmin";
+
+    @Autowired
+    private AuthorizeService authorizeService;
+    @Autowired
+    private AuthorizeSolrService authorizeSolrService;
+
+    @Override
+    public boolean isAuthorized(Context context, BaseObjectRest object) throws SQLException {
+        if (object instanceof SiteRest) {
+            if (authorizeService.isAdmin(context)) {
+                return true;
+            }
+
+            return authorizeSolrService.isComColAdmin(context);
+        }
+        return false;
+    }
+
+    @Override
+    public String[] getSupportedTypes() {
+        return new String[]{
+            SiteRest.CATEGORY + "." + SiteRest.NAME
+        };
+    }
+}

dspace-server-webapp/src/main/java/org/dspace/app/rest/authorization/impl/CommunityAdminFeature.java

@@ -0,0 +1,62 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization.impl;
+
+import java.sql.SQLException;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.dspace.app.rest.authorization.AuthorizationFeature;
+import org.dspace.app.rest.authorization.AuthorizationFeatureDocumentation;
+import org.dspace.app.rest.model.BaseObjectRest;
+import org.dspace.app.rest.model.SiteRest;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
+import org.dspace.core.Context;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+/**
+ * The Community Admin feature. It can be used to verify if the current user is admin of any community in the site.
+ *
+ * Authorization is granted if the current user has ADMIN permissions for any Community anywhere in the site, or if the
+ * current user is a site admin.
+ */
+@Component
+@AuthorizationFeatureDocumentation(name = CommunityAdminFeature.NAME,
+    description = "It can be used to verify if the current user is admin of any community in the site")
+public class CommunityAdminFeature implements AuthorizationFeature {
+
+    private static Logger log = LogManager.getLogger(CommunityAdminFeature.class);
+
+    public final static String NAME = "isCommunityAdmin";
+
+    @Autowired
+    private AuthorizeService authorizeService;
+    @Autowired
+    private AuthorizeSolrService authorizeSolrService;
+
+    @Override
+    public boolean isAuthorized(Context context, BaseObjectRest object) throws SQLException {
+        if (object instanceof SiteRest) {
+            if (authorizeService.isAdmin(context)) {
+                return true;
+            }
+
+            return authorizeSolrService.isCommunityAdmin(context);
+        }
+        return false;
+    }
+
+    @Override
+    public String[] getSupportedTypes() {
+        return new String[]{
+            SiteRest.CATEGORY + "." + SiteRest.NAME
+        };
+    }
+}

dspace-server-webapp/src/main/java/org/dspace/app/rest/authorization/impl/ManageGroupsFeature.java

@@ -0,0 +1,72 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization.impl;
+
+import java.sql.SQLException;
+
+import org.dspace.app.rest.authorization.AuthorizationFeature;
+import org.dspace.app.rest.authorization.AuthorizationFeatureDocumentation;
+import org.dspace.app.rest.model.BaseObjectRest;
+import org.dspace.app.rest.model.SiteRest;
+import org.dspace.authorize.AuthorizeConfiguration;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
+import org.dspace.core.Context;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+/**
+ * The Manage Groups Feature. It can be used to verify if the current user can manage groups in any community or
+ * collection in the site.
+ *
+ * Authorization is granted if the current user has ADMIN permissions for any Community or Collection anywhere in the
+ * site AND the corresponding core.authorization.* properties are set to true.
+ */
+@Component
+@AuthorizationFeatureDocumentation(name = ManageGroupsFeature.NAME, description =
+        "It can be used to verify if the current user can manage groups in any community or collection in the site")
+public class ManageGroupsFeature implements AuthorizationFeature {
+
+    public final static String NAME = "canManageGroups";
+
+    @Autowired
+    private AuthorizeService authorizeService;
+    @Autowired
+    private AuthorizeSolrService authorizeSolrService;
+
+    @Override
+    public boolean isAuthorized(Context context, BaseObjectRest object) throws SQLException {
+        if (object instanceof SiteRest) {
+            if (authorizeService.isAdmin(context)) {
+                return true;
+            }
+
+            if (authorizeSolrService.isCommunityAdmin(context) &&
+                (AuthorizeConfiguration.canCommunityAdminManagePolicies() ||
+                    AuthorizeConfiguration.canCommunityAdminManageAdminGroup())) {
+                return true;
+            }
+
+            if ((authorizeSolrService.isCollectionAdmin(context) &&
+                (AuthorizeConfiguration.canCommunityAdminManageCollectionPolicies() ||
+                    AuthorizeConfiguration.canCommunityAdminManageCollectionSubmitters() ||
+                    AuthorizeConfiguration.canCommunityAdminManageCollectionWorkflows() ||
+                    AuthorizeConfiguration.canCommunityAdminManageCollectionAdminGroup()))) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public String[] getSupportedTypes() {
+        return new String[]{
+            SiteRest.CATEGORY + "." + SiteRest.NAME
+        };
+    }
+}

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/CollectionRestRepository.java

@@ -38,6 +38,7 @@ import org.dspace.app.rest.utils.CollectionRestEqualityUtils;
 import org.dspace.app.util.AuthorizeUtil;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
 import org.dspace.content.Bitstream;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
@@ -115,6 +116,9 @@ public class CollectionRestRepository extends DSpaceObjectRestRepository<Collect
     @Autowired
     SearchService searchService;
 
+    @Autowired
+    private AuthorizeSolrService authorizeSolrService;
+
     public CollectionRestRepository(CollectionService dsoService) {
         super(dsoService);
     }
@@ -200,6 +204,21 @@ public class CollectionRestRepository extends DSpaceObjectRestRepository<Collect
         }
     }
 
+    @SearchRestMethod(name = "findAdminAuthorized")
+    public Page<CollectionRest> findAdminAuthorized (
+        Pageable pageable, @Parameter(value = "query") String query) {
+        try {
+            Context context = obtainContext();
+            List<Collection> collections = authorizeSolrService.findAdminAuthorizedCollection(context, query,
+                Math.toIntExact(pageable.getOffset()),
+                Math.toIntExact(pageable.getPageSize()));
+            int tot = authorizeSolrService.countAdminAuthorizedCollection(context, query);
+            return converter.toRestPage(collections, pageable, tot , utils.obtainProjection());
+        } catch (SearchServiceException | SQLException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
     @Override
     @PreAuthorize("hasPermission(#id, 'COLLECTION', 'WRITE')")
     protected void patch(Context context, HttpServletRequest request, String apiCategory, String model, UUID id,

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/CommunityRestRepository.java

@@ -20,6 +20,7 @@ import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.rest.Parameter;
 import org.dspace.app.rest.SearchRestMethod;
 import org.dspace.app.rest.exception.DSpaceBadRequestException;
 import org.dspace.app.rest.exception.RepositoryMethodNotImplementedException;
@@ -33,6 +34,7 @@ import org.dspace.app.rest.model.patch.Patch;
 import org.dspace.app.rest.utils.CommunityRestEqualityUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.AuthorizeSolrService;
 import org.dspace.content.Bitstream;
 import org.dspace.content.Community;
 import org.dspace.content.service.BitstreamService;
@@ -83,6 +85,9 @@ public class CommunityRestRepository extends DSpaceObjectRestRepository<Communit
 
     private CommunityService cs;
 
+    @Autowired
+    private AuthorizeSolrService authorizeSolrService;
+
     public CommunityRestRepository(CommunityService dsoService) {
         super(dsoService);
         this.cs = dsoService;
@@ -203,6 +208,21 @@ public class CommunityRestRepository extends DSpaceObjectRestRepository<Communit
         }
     }
 
+    @SearchRestMethod(name = "findAdminAuthorized")
+    public Page<CommunityRest> findAdminAuthorized (
+        Pageable pageable, @Parameter(value = "query") String query) {
+        try {
+            Context context = obtainContext();
+            List<Community> communities = authorizeSolrService.findAdminAuthorizedCommunity(context, query,
+                Math.toIntExact(pageable.getOffset()),
+                Math.toIntExact(pageable.getPageSize()));
+            int tot = authorizeSolrService.countAdminAuthorizedCommunity(context, query);
+            return converter.toRestPage(communities, pageable, tot , utils.obtainProjection());
+        } catch (SearchServiceException | SQLException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
     @Override
     @PreAuthorize("hasPermission(#id, 'COMMUNITY', 'WRITE')")
     protected void patch(Context context, HttpServletRequest request, String apiCategory, String model, UUID id,

dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/CollectionAdminFeatureIT.java

@@ -0,0 +1,869 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.dspace.app.rest.matcher.CollectionMatcher;
+import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
+import org.dspace.builder.CollectionBuilder;
+import org.dspace.builder.CommunityBuilder;
+import org.dspace.builder.EPersonBuilder;
+import org.dspace.builder.GroupBuilder;
+import org.dspace.builder.ResourcePolicyBuilder;
+import org.dspace.content.Collection;
+import org.dspace.content.Community;
+import org.dspace.content.service.SiteService;
+import org.dspace.core.Constants;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.Group;
+import org.dspace.eperson.service.GroupService;
+import org.dspace.services.ConfigurationService;
+import org.hamcrest.Matchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+
+public class CollectionAdminFeatureIT extends AbstractControllerIntegrationTest {
+
+    @Autowired
+    private SiteService siteService;
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Autowired
+    private GroupService groupService;
+
+    private Community topLevelCommunityA;
+    private Community subCommunityA;
+    private Community communityB;
+    private Community communityC;
+    private Collection collectionA;
+    private Collection collectionB;
+    private Collection collectionC;
+
+    private EPerson topLevelCommunityAAdmin;
+    private EPerson subCommunityAAdmin;
+    private EPerson collectionAAdmin;
+    private EPerson submitter;
+
+    @Override
+    @Before
+    public void setUp() throws Exception {
+        super.setUp();
+
+        context.turnOffAuthorisationSystem();
+
+        topLevelCommunityAAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("topLevelCommunityAAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        topLevelCommunityA = CommunityBuilder.createCommunity(context)
+            .withName("The name of this community is topLevelCommunityA")
+            .withAdminGroup(topLevelCommunityAAdmin)
+            .build();
+
+        subCommunityAAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("subCommunityAAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        subCommunityA = CommunityBuilder.createCommunity(context)
+            .withName("The name of this sub-community is subCommunityA")
+            .withAdminGroup(subCommunityAAdmin)
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+
+        submitter = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("submitter@my.edu")
+            .withPassword(password)
+            .build();
+        collectionAAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("collectionAAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        collectionA = CollectionBuilder.createCollection(context, subCommunityA)
+            .withName("The name of this collection is collectionA")
+            .withAdminGroup(collectionAAdmin)
+            .withSubmitterGroup(submitter)
+            .build();
+
+        context.restoreAuthSystemState();
+
+        configurationService.setProperty(
+            "org.dspace.app.rest.authorization.AlwaysThrowExceptionFeature.turnoff", "true");
+    }
+
+    @Test
+    public void testAdmin() throws Exception {
+        String token = getAuthToken(admin.getEmail(), password);
+
+        // Verify the general admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testCommunityAdmin() throws Exception {
+        String token = getAuthToken(topLevelCommunityAAdmin.getEmail(), password);
+
+        // Verify the community admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubCommunityAdmin() throws Exception {
+        String token = getAuthToken(subCommunityAAdmin.getEmail(), password);
+
+        // Verify the subcommunity admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testCollectionAdmin() throws Exception {
+        String token = getAuthToken(collectionAAdmin.getEmail(), password);
+
+        // Verify the collection admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubmitter() throws Exception {
+        String token = getAuthToken(submitter.getEmail(), password);
+
+        // Verify a submitter doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of the site administrators has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a community admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfSubCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a subcommunity admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfCollectionAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a collection admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfSubmitterGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of submitter group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubSubGroupOfAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of the site administrators has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a community admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfSubCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a subcommunity admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfCollectionAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a collection admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfSubmitterGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of submitter group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCollectionAdmin')]")
+                    .doesNotExist());
+    }
+
+    // findAdminAuthorized
+    @Test
+    public void testAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .withAdminGroup(admin)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is named topLevelCommunityC")
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, subCommunityA)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(collectionA)
+            .withAction(Constants.ADMIN)
+            .withUser(admin)
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(collectionB)
+            .withAction(Constants.ADMIN)
+            .withUser(admin)
+            .build();
+        context.restoreAuthSystemState();
+        String token = getAuthToken(admin.getEmail(), password);
+
+        // Verify the site admin gets all collections
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle()),
+                CollectionMatcher.matchProperties(collectionC.getName(), collectionC.getID(), collectionC.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+    }
+
+    @Test
+    public void testCommunityAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .withAdminGroup(topLevelCommunityAAdmin)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is named topLevelCommunityC")
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, topLevelCommunityA)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+        String token = getAuthToken(topLevelCommunityAAdmin.getEmail(), password);
+
+        // Verify the community admin gets all the communities he's admin for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testSubCommunityAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, subCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(subCommunityAAdmin.getEmail(), password);
+
+        // Verify the subcommunity admin gets all the communities he's admin for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testCollectionAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, subCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB is a very original name")
+            .withAdminGroup(collectionAAdmin)
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(collectionAAdmin.getEmail(), password);
+
+        // Verify the collection admin gets all the communities he's admin for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testSubmitterSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, subCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB is a very original name")
+            .withSubmitterGroup(submitter)
+            .withAdminGroup(collectionAAdmin)
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+        String token = getAuthToken(submitter.getEmail(), password);
+
+        // Verify the submitter doesn't have any matches for collections
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("adminSubGroup")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, subCommunityA)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify the site admins' subgroups members get all collections
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle()),
+                CollectionMatcher.matchProperties(collectionC.getName(), collectionC.getID(), collectionC.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+    }
+
+    @Test
+    public void testSubGroupOfCommunityAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("communityAdminSubGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(communityB)
+            .withAction(Constants.ADMIN)
+            .withGroup(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, subCommunityA)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a community admin group gets all the collections he's admin for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfSubCommunityAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("communityAdminSubGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(communityB)
+            .withAction(Constants.ADMIN)
+            .withGroup(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, subCommunityA)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a subcommunity admin group gets all the collections he's admin for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfCollectionAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("collectionAdminSubGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB is a very original name")
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(collectionB)
+            .withAction(Constants.ADMIN)
+            .withGroup(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a collection admin group gets all the collections he's admin for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionA.getName(), collectionA.getID(), collectionA.getHandle()),
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections", Matchers.containsInAnyOrder(
+                CollectionMatcher.matchProperties(collectionB.getName(), collectionB.getID(), collectionB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfSubmitterGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("collectionAdminSubGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB is a very original name")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(collectionB)
+            .withAction(Constants.ADD)
+            .withGroup(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .build();
+        collectionC = CollectionBuilder.createCollection(context, communityC)
+            .withName("the last collection is collectionC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of submitter group doesn't have any matches for collections
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/collections/search/findAdminAuthorized")
+            .param("query", collectionC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.collections").doesNotExist());
+    }
+}

dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/ComColAdminFeatureIT.java

@@ -0,0 +1,394 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
+import org.dspace.builder.CollectionBuilder;
+import org.dspace.builder.CommunityBuilder;
+import org.dspace.builder.EPersonBuilder;
+import org.dspace.builder.GroupBuilder;
+import org.dspace.content.Collection;
+import org.dspace.content.Community;
+import org.dspace.content.service.SiteService;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.Group;
+import org.dspace.eperson.service.GroupService;
+import org.dspace.services.ConfigurationService;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+
+public class ComColAdminFeatureIT extends AbstractControllerIntegrationTest {
+
+    @Autowired
+    private SiteService siteService;
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Autowired
+    private GroupService groupService;
+
+    private Community topLevelCommunity;
+    private Community subCommunity;
+    private Collection collection;
+
+    private EPerson communityAdmin;
+    private EPerson subCommunityAdmin;
+    private EPerson collectionAdmin;
+    private EPerson submitter;
+
+    @Override
+    @Before
+    public void setUp() throws Exception {
+        super.setUp();
+
+        context.turnOffAuthorisationSystem();
+
+        communityAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("communityAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        topLevelCommunity = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunity")
+            .withAdminGroup(communityAdmin)
+            .build();
+
+        subCommunityAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("subCommunityAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        subCommunity = CommunityBuilder.createCommunity(context)
+            .withName("subCommunity")
+            .withAdminGroup(subCommunityAdmin)
+            .addParentCommunity(context, topLevelCommunity)
+            .build();
+
+        submitter = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("submitter@my.edu")
+            .withPassword(password)
+            .build();
+        collectionAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("collectionAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        collection = CollectionBuilder.createCollection(context, subCommunity)
+            .withName("collection")
+            .withAdminGroup(collectionAdmin)
+            .withSubmitterGroup(submitter)
+            .build();
+
+        context.restoreAuthSystemState();
+
+        configurationService.setProperty(
+            "org.dspace.app.rest.authorization.AlwaysThrowExceptionFeature.turnoff", "true");
+    }
+
+    @Test
+    public void testAdmin() throws Exception {
+        String token = getAuthToken(admin.getEmail(), password);
+
+        // Verify the general admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testCommunityAdmin() throws Exception {
+        String token = getAuthToken(communityAdmin.getEmail(), password);
+
+        // Verify the community admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubCommunityAdmin() throws Exception {
+        String token = getAuthToken(subCommunityAdmin.getEmail(), password);
+
+        // Verify the subcommunity admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testCollectionAdmin() throws Exception {
+        String token = getAuthToken(collectionAdmin.getEmail(), password);
+
+        // Verify the collection admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubmitter() throws Exception {
+        String token = getAuthToken(submitter.getEmail(), password);
+
+        // Verify a submitter doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of the site administrators has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunity.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a community admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfSubCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunity.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a subcommunity admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfCollectionAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collection.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a collection admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfSubmitterGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collection.getID() + "_SUBMIT"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of submitter group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubSubGroupOfAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of the site administrators has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunity.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a community admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfSubCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunity.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a subcommunity admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfCollectionAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collection.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a collection admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfSubmitterGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collection.getID() + "_SUBMIT"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of submitter group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isComColAdmin')]")
+                    .doesNotExist());
+    }
+}

dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/CommunityAdminFeatureIT.java

@@ -0,0 +1,816 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.dspace.app.rest.matcher.CommunityMatcher;
+import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
+import org.dspace.builder.CollectionBuilder;
+import org.dspace.builder.CommunityBuilder;
+import org.dspace.builder.EPersonBuilder;
+import org.dspace.builder.GroupBuilder;
+import org.dspace.builder.ResourcePolicyBuilder;
+import org.dspace.content.Collection;
+import org.dspace.content.Community;
+import org.dspace.content.service.SiteService;
+import org.dspace.core.Constants;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.Group;
+import org.dspace.eperson.service.GroupService;
+import org.dspace.services.ConfigurationService;
+import org.hamcrest.Matchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+
+public class CommunityAdminFeatureIT extends AbstractControllerIntegrationTest {
+
+    @Autowired
+    private SiteService siteService;
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Autowired
+    private GroupService groupService;
+
+    private Community topLevelCommunityA;
+    private Community subCommunityA;
+    private Community communityB;
+    private Community communityC;
+    private Collection collectionA;
+
+    private EPerson topLevelCommunityAAdmin;
+    private EPerson subCommunityAAdmin;
+    private EPerson collectionAdmin;
+    private EPerson submitter;
+
+    @Override
+    @Before
+    public void setUp() throws Exception {
+        super.setUp();
+
+        context.turnOffAuthorisationSystem();
+
+        topLevelCommunityAAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("topLevelCommunityAAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        topLevelCommunityA = CommunityBuilder.createCommunity(context)
+            .withName("The name of this community is topLevelCommunityA")
+            .withAdminGroup(topLevelCommunityAAdmin)
+            .build();
+
+        subCommunityAAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("subCommunityAAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        subCommunityA = CommunityBuilder.createCommunity(context)
+            .withName("The name of this sub-community is subCommunityA")
+            .withAdminGroup(subCommunityAAdmin)
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+
+        submitter = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("submitter@my.edu")
+            .withPassword(password)
+            .build();
+        collectionAdmin = EPersonBuilder.createEPerson(context)
+            .withNameInMetadata("Jhon", "Brown")
+            .withEmail("collectionAdmin@my.edu")
+            .withPassword(password)
+            .build();
+        collectionA = CollectionBuilder.createCollection(context, subCommunityA)
+            .withName("The name of this collection is collectionA")
+            .withAdminGroup(collectionAdmin)
+            .withSubmitterGroup(submitter)
+            .build();
+
+        context.restoreAuthSystemState();
+
+        configurationService.setProperty(
+            "org.dspace.app.rest.authorization.AlwaysThrowExceptionFeature.turnoff", "true");
+    }
+
+    @Test
+    public void testAdmin() throws Exception {
+        String token = getAuthToken(admin.getEmail(), password);
+
+        // Verify the general admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testCommunityAdmin() throws Exception {
+        String token = getAuthToken(topLevelCommunityAAdmin.getEmail(), password);
+
+        // Verify the community admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubCommunityAdmin() throws Exception {
+        String token = getAuthToken(subCommunityAAdmin.getEmail(), password);
+
+        // Verify the subcommunity admin has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testCollectionAdmin() throws Exception {
+        String token = getAuthToken(collectionAdmin.getEmail(), password);
+
+        // Verify the collection admin doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubmitter() throws Exception {
+        String token = getAuthToken(submitter.getEmail(), password);
+
+        // Verify a submitter doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of the site administrators has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a community admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfSubCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a subcommunity admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubGroupOfCollectionAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of a collection admin group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfSubmitterGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("userGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of submitter group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubSubGroupOfAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of the site administrators has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a community admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfSubCommunityAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a subcommunity admin group has this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .exists());
+    }
+
+    @Test
+    public void testSubSubGroupOfCollectionAdminGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of a collection admin group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .doesNotExist());
+    }
+
+    @Test
+    public void testSubSubGroupOfSubmitterGroup() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Group groupB = GroupBuilder.createGroup(context)
+            .withName("GroupB")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .build();
+        GroupBuilder.createGroup(context)
+            .withName("GroupA")
+            .withParent(groupB)
+            .addMember(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a sub-subgroup of submitter group doesn't have this feature
+        getClient(token).perform(get("/api/authz/authorizations/search/object?embed=feature&uri="
+            + "http://localhost/api/core/site/" + siteService.findSite(context).getID()))
+            .andExpect(status().isOk())
+            .andExpect(
+                jsonPath("$._embedded.authorizations[?(@._embedded.feature.id=='isCommunityAdmin')]")
+                    .doesNotExist());
+    }
+
+    // findAdminAuthorized
+    @Test
+    public void testAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(topLevelCommunityA)
+            .withAction(Constants.ADMIN)
+            .withUser(admin)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .withAdminGroup(admin)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(admin.getEmail(), password);
+
+        // Verify the site admin gets all communities
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(topLevelCommunityA.getName(), topLevelCommunityA.getID(),
+                    topLevelCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(subCommunityA.getName(), subCommunityA.getID(),
+                    subCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle()),
+                CommunityMatcher.matchProperties(communityC.getName(), communityC.getID(), communityC.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+    }
+
+    @Test
+    public void testCommunityAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .withAdminGroup(topLevelCommunityAAdmin)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is named topLevelCommunityC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(topLevelCommunityAAdmin.getEmail(), password);
+
+        // Verify the community admin gets all the communities he's admin for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(topLevelCommunityA.getName(), topLevelCommunityA.getID(),
+                    topLevelCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(subCommunityA.getName(), subCommunityA.getID(),
+                    subCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testSubCommunityAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .withAdminGroup(subCommunityAAdmin)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(subCommunityAAdmin.getEmail(), password);
+
+        // Verify the community admin gets all the communities he's admin for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(subCommunityA.getName(), subCommunityA.getID(),
+                    subCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testCollectionAdminSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(collectionAdmin.getEmail(), password);
+
+        // Verify the collection admin doesn't have any matches for communities
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testSubmitterSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(submitter.getEmail(), password);
+
+        // Verify the submitter doesn't have any matches for communities
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("adminSubGroup")
+            .withParent(groupService.findByName(context, Group.ADMIN))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify the site admins' subgroups members get all communities
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(topLevelCommunityA.getName(), topLevelCommunityA.getID(),
+                    topLevelCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(subCommunityA.getName(), subCommunityA.getID(),
+                    subCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle()),
+                CommunityMatcher.matchProperties(communityC.getName(), communityC.getID(), communityC.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+    }
+
+    @Test
+    public void testSubGroupOfCommunityAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("communityAdminSubGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(communityB)
+            .withAction(Constants.ADMIN)
+            .withGroup(groupService.findByName(context, "COMMUNITY_" + topLevelCommunityA.getID() + "_ADMIN"))
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify the community admins' subgroup users get all the communities he's admin for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(topLevelCommunityA.getName(), topLevelCommunityA.getID(),
+                    topLevelCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(subCommunityA.getName(), subCommunityA.getID(),
+                    subCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfSubCommunityAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("communityAdminSubGroup")
+            .withParent(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(communityB)
+            .withAction(Constants.ADMIN)
+            .withGroup(groupService.findByName(context, "COMMUNITY_" + subCommunityA.getID() + "_ADMIN"))
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify the sub-community admins' subgroup users get all the communities he's admin for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(subCommunityA.getName(), subCommunityA.getID(),
+                    subCommunityA.getHandle()),
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities", Matchers.containsInAnyOrder(
+                CommunityMatcher.matchProperties(communityB.getName(), communityB.getID(), communityB.getHandle())
+            )));
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfCollectionAdminGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("collectionAdminSubGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        Collection collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(collectionB)
+            .withAction(Constants.ADMIN)
+            .withGroup(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_ADMIN"))
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify the collection admins' subgroup members don't have any matches for communities
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+
+    @Test
+    public void testSubGroupOfSubmitterGroupSearch() throws Exception {
+        context.turnOffAuthorisationSystem();
+        GroupBuilder.createGroup(context)
+            .withName("collectionAdminSubGroup")
+            .withParent(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .addMember(eperson)
+            .build();
+        communityB = CommunityBuilder.createCommunity(context)
+            .withName("topLevelCommunityB is a very original name")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        Collection collectionB = CollectionBuilder.createCollection(context, communityB)
+            .withName("collectionB")
+            .build();
+        ResourcePolicyBuilder.createResourcePolicy(context)
+            .withDspaceObject(collectionB)
+            .withAction(Constants.ADD)
+            .withGroup(groupService.findByName(context, "COLLECTION_" + collectionA.getID() + "_SUBMIT"))
+            .build();
+        communityC = CommunityBuilder.createCommunity(context)
+            .withName("the last community is topLevelCommunityC")
+            .addParentCommunity(context, topLevelCommunityA)
+            .build();
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify an ePerson in a subgroup of submitter group doesn't have any matches for communities
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify the search only shows dso's which according to the query
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityB.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+
+        // Verify that a query doesn't show dso's which the user doesn't have rights for
+        getClient(token).perform(get("/api/core/communities/search/findAdminAuthorized")
+            .param("query", communityC.getName()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.communities").doesNotExist());
+    }
+}

dspace/config/spring/api/core-services.xml

@@ -27,6 +27,7 @@
 
     <bean class="org.dspace.authorize.AuthorizeServiceImpl"/>
     <bean class="org.dspace.authorize.ResourcePolicyServiceImpl"/>
+    <bean class="org.dspace.authorize.AuthorizeSolrServiceImpl"/>
 
     <bean class="org.dspace.authority.AuthorityValueServiceImpl"/>
     <bean class="org.dspace.authority.AuthorityServiceImpl"/>